Sergei Golubchik

4 exploits Active since Feb 2020
CVE-2026-3494 WRITEUP MEDIUM WRITEUP
MariaDB <=11.8.5 - Audit Log Bypass
In MariaDB server version through 11.8.5, when server audit plugin is enabled with server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (—) or hash (#) style comments, the statement is not logged.
CVSS 4.3
CVE-2026-3494 WRITEUP MEDIUM WRITEUP
MariaDB <=11.8.5 - Audit Log Bypass
In MariaDB server version through 11.8.5, when server audit plugin is enabled with server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (—) or hash (#) style comments, the statement is not logged.
CVSS 4.3
CVE-2020-13249 WRITEUP HIGH WRITEUP
MariaDB Connector/C <3.1.8 - Info Disclosure
libmariadb/mariadb_lib.c in MariaDB Connector/C before 3.1.8 does not properly validate the content of an OK packet received from a server. NOTE: although mariadb_lib.c was originally based on code shipped for MySQL, this issue does not affect any MySQL components supported by Oracle.
CVSS 8.8
CVE-2020-7221 WRITEUP HIGH WRITEUP
Mariadb < 10.4.11 - Symlink Following
mysql_install_db in MariaDB 10.4.7 through 10.4.11 allows privilege escalation from the mysql user account to root because chown and chmod are performed unsafely, as demonstrated by a symlink attack on a chmod 04755 of auth_pam_tool_dir/auth_pam_tool. NOTE: this does not affect the Oracle MySQL product, which implements mysql_install_db differently.
CVSS 7.8